Analysis
-
max time kernel
150s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24-12-2023 19:39
General
-
Target
0e2892c5f3d3558d6575b729b24caf3d.exe
-
Size
504KB
-
MD5
0e2892c5f3d3558d6575b729b24caf3d
-
SHA1
ec36cbd5cbecdf811ad51eac29d378d9da3d6aae
-
SHA256
2070bf8a21fe853a0cba4114fcbba960dacf6f694404daaac1ae32f9606af6ca
-
SHA512
c96561c00a630f88573c6dd4570b047df74529f47e07d02a330cc7f0c9d92f6f6753718d8d9318801e78a8bd908adabbbad71f494d29d55c2d674fbfcf1170ac
-
SSDEEP
12288:w6+cKLjieaEKyrV8jh9tLI9hBjC9mA/a/hjXgrtxrlYRyHNKr4VrFBKhv7RHKzkm:wIp
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e2892c5f3d3558d6575b729b24caf3d.exe"C:\Users\Admin\AppData\Local\Temp\0e2892c5f3d3558d6575b729b24caf3d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exeCMD.exe /k start %TEMP%\1.jpg2⤵
-
-
C:\Windows\SYSTEM32\CMD.exeCMD.exe /k start %TEMP%\0.exe2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Local\Temp\0.exeC:\Users\Admin\AppData\Local\Temp\0.exe1⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\0.exe"C:\Users\Admin\AppData\Local\Temp\0.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199KB
MD58d6a8e4ed85ebaa57bd236864a632832
SHA13a51b94c507f7d6c2a10836cb8622266622a46b4
SHA256563f1247504429d0f1604ed045ada1ef4b8c7a35cc276c5b15af46cd1f375075
SHA5128c14649bdfb750c5523f24244fcc680685f2b24a6ab09d405402df6bc8f17a66056f5b11e7a4bb0f7e70807113acb62c46ef33663dd8f37f2a6366ee757a479f
-
Filesize
117KB
MD5a273cdf0c81278b73197a3bc0f889a06
SHA1cfc19c947fc1d68bb5d2a1a94f82a43cd70205aa
SHA256831bca16412202314be020e93edcedef450f02aea0c1e4737ec5632c69a56708
SHA5129b549fe1defadc55085d5effee1f9bd6374ebe9d613feca04dd6b7770fbb60c6ee358d49208962c562a63a160c6bb340674409d3dfe648dd0500e2678872131d
-
Filesize
51KB
MD5be41e0a11eb96b38c439b730a8a35060
SHA128841ae03136aab3399b772a0a2388d5a78297e7
SHA25622cd0652ce87c1dfc33eb9c78a08bf4263ea94e634e3c171870c548119a52849
SHA512656eaf52fbba8e13946896e4fd989f4dddaee0f0ed917ea67a26a8a709bd603bdc50df1531eb04a75a2d8604367b56eff0afdf4422b190ec93b43f373123bef4
-
Filesize
9.6MB
-
Filesize
64KB
-
Filesize
664KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
28KB
-
Filesize
4KB